Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2018-08-14 07:27:10 +0200
committerTakashi Iwai <tiwai@suse.de>2018-08-14 07:27:10 +0200
commita015d477cc4ba5c84e5ae6055a3ec370c49ca548 (patch)
tree9ef9f45c5d57ad2be4ad31e6a3c837ffaa23fa63
parent80d095f60aa3d04455e6c45bc8d82cc03185b551 (diff)
parent6fd939d9988cb2a7ea765d0606348acf8ca24501 (diff)
Merge branch 'SLE12-SP3' into openSUSE-42.3
-rw-r--r--patches.arch/powerpc-fadump-handle-crash-memory-ranges-array-inde.patch270
-rw-r--r--patches.arch/powerpc-fadump-merge-adjacent-memory-ranges-to-reduc.patch99
-rw-r--r--patches.fixes/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch45
-rw-r--r--patches.fixes/ext4-always-verify-the-magic-number-in-xattr-blocks.patch48
-rw-r--r--patches.fixes/ext4-avoid-running-out-of-journal-credits-when-appen.patch124
-rw-r--r--patches.fixes/ext4-check-for-allocation-block-validity-with-block-.patch76
-rw-r--r--patches.fixes/ext4-do-not-update-s_last_mounted-of-a-frozen-fs.patch82
-rw-r--r--patches.fixes/ext4-factor-out-helper-ext4_sample_last_mounted.patch114
-rw-r--r--patches.fixes/ext4-fix-check-to-prevent-initializing-reserved-inod.patch70
-rw-r--r--patches.fixes/ext4-fix-false-negatives-and-false-positives-in-ext4.patch55
-rw-r--r--patches.fixes/ext4-fix-inline-data-updates-with-checksums-enabled.patch165
-rw-r--r--patches.fixes/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch39
-rw-r--r--patches.fixes/vfs-add-the-sb_start_intwrite_trylock-helper.patch38
-rw-r--r--patches.kernel.org/4.4.140-022-jbd2-don-t-mark-block-as-modified-if-the-hand.patch3
-rw-r--r--patches.kernel.org/4.4.140-023-ext4-make-sure-bitmaps-and-the-inode-table-do.patch3
-rw-r--r--patches.kernel.org/4.4.140-024-ext4-always-check-block-group-bounds-in-ext4_.patch3
-rw-r--r--patches.kernel.org/4.4.140-025-ext4-only-look-at-the-bg_flags-field-if-it-is.patch3
-rw-r--r--patches.kernel.org/4.4.140-026-ext4-verify-the-depth-of-extent-tree-in-ext4_.patch3
-rw-r--r--patches.kernel.org/4.4.140-028-ext4-clear-i_data-in-ext4_inode_info-when-rem.patch3
-rw-r--r--patches.kernel.org/4.4.140-029-ext4-add-more-inode-number-paranoia-checks.patch2
-rw-r--r--patches.suse/0001-btrfs-Don-t-remove-block-group-still-has-pinned-down.patch113
-rw-r--r--series.conf16
22 files changed, 1367 insertions, 7 deletions
diff --git a/patches.arch/powerpc-fadump-handle-crash-memory-ranges-array-inde.patch b/patches.arch/powerpc-fadump-handle-crash-memory-ranges-array-inde.patch
new file mode 100644
index 0000000000..8da4ac959b
--- /dev/null
+++ b/patches.arch/powerpc-fadump-handle-crash-memory-ranges-array-inde.patch
@@ -0,0 +1,270 @@
+From 1bd6a1c4b80a28d975287630644e6b47d0f977a5 Mon Sep 17 00:00:00 2001
+From: Hari Bathini <hbathini@linux.ibm.com>
+Date: Tue, 7 Aug 2018 02:12:45 +0530
+Subject: [PATCH] powerpc/fadump: handle crash memory ranges array index
+ overflow
+
+References: bsc#1103269
+Patch-mainline: queued
+Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git
+Git-commit: 1bd6a1c4b80a28d975287630644e6b47d0f977a5
+
+Crash memory ranges is an array of memory ranges of the crashing kernel
+to be exported as a dump via /proc/vmcore file. The size of the array
+is set based on INIT_MEMBLOCK_REGIONS, which works alright in most cases
+where memblock memory regions count is less than INIT_MEMBLOCK_REGIONS
+value. But this count can grow beyond INIT_MEMBLOCK_REGIONS value since
+commit 142b45a72e22 ("memblock: Add array resizing support").
+
+On large memory systems with a few DLPAR operations, the memblock memory
+regions count could be larger than INIT_MEMBLOCK_REGIONS value. On such
+systems, registering fadump results in crash or other system failures
+like below:
+
+ task: c00007f39a290010 ti: c00000000b738000 task.ti: c00000000b738000
+ NIP: c000000000047df4 LR: c0000000000f9e58 CTR: c00000000010f180
+ REGS: c00000000b73b570 TRAP: 0300 Tainted: G L X (4.4.140+)
+ MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 22004484 XER: 20000000
+ CFAR: c000000000008500 DAR: 000007a450000000 DSISR: 40000000 SOFTE: 0
+ ...
+ NIP [c000000000047df4] smp_send_reschedule+0x24/0x80
+ LR [c0000000000f9e58] resched_curr+0x138/0x160
+ Call Trace:
+ resched_curr+0x138/0x160 (unreliable)
+ check_preempt_curr+0xc8/0xf0
+ ttwu_do_wakeup+0x38/0x150
+ try_to_wake_up+0x224/0x4d0
+ __wake_up_common+0x94/0x100
+ ep_poll_callback+0xac/0x1c0
+ __wake_up_common+0x94/0x100
+ __wake_up_sync_key+0x70/0xa0
+ sock_def_readable+0x58/0xa0
+ unix_stream_sendmsg+0x2dc/0x4c0
+ sock_sendmsg+0x68/0xa0
+ ___sys_sendmsg+0x2cc/0x2e0
+ __sys_sendmsg+0x5c/0xc0
+ SyS_socketcall+0x36c/0x3f0
+ system_call+0x3c/0x100
+
+as array index overflow is not checked for while setting up crash memory
+ranges causing memory corruption. To resolve this issue, dynamically
+allocate memory for crash memory ranges and resize it incrementally,
+in units of pagesize, on hitting array size limit.
+
+Fixes: 2df173d9e85d ("fadump: Initialize elfcore header and add PT_LOAD program headers.")
+Cc: stable@vger.kernel.org # v3.4+
+Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
+Reviewed-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+[mpe: Just use PAGE_SIZE directly, fixup variable placement]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+[msu: include linux/slab.h for *alloc functions]
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/include/asm/fadump.h | 3 --
+ arch/powerpc/kernel/fadump.c | 92 +++++++++++++++++++++++++++++++++------
+ 2 files changed, 78 insertions(+), 17 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/fadump.h b/arch/powerpc/include/asm/fadump.h
+index 0417cbc8f378..ff1be0f5d256 100644
+--- a/arch/powerpc/include/asm/fadump.h
++++ b/arch/powerpc/include/asm/fadump.h
+@@ -196,9 +196,6 @@ struct fadump_crash_info_header {
+ struct cpumask cpu_online_mask;
+ };
+
+-/* Crash memory ranges */
+-#define INIT_CRASHMEM_RANGES (INIT_MEMBLOCK_REGIONS + 2)
+-
+ struct fad_crash_memory_ranges {
+ unsigned long long base;
+ unsigned long long size;
+diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
+index 16d8b61030fd..25c9c3fca6c9 100644
+--- a/arch/powerpc/kernel/fadump.c
++++ b/arch/powerpc/kernel/fadump.c
+@@ -35,6 +35,7 @@
+ #include <linux/crash_dump.h>
+ #include <linux/kobject.h>
+ #include <linux/sysfs.h>
++#include <linux/slab.h>
+
+ #include <asm/page.h>
+ #include <asm/prom.h>
+@@ -48,8 +49,10 @@ static struct fadump_mem_struct fdm;
+ static const struct fadump_mem_struct *fdm_active;
+
+ static DEFINE_MUTEX(fadump_mutex);
+-struct fad_crash_memory_ranges crash_memory_ranges[INIT_CRASHMEM_RANGES];
++struct fad_crash_memory_ranges *crash_memory_ranges;
++int crash_memory_ranges_size;
+ int crash_mem_ranges;
++int max_crash_mem_ranges;
+
+ /* Scan the Firmware Assisted dump configuration details. */
+ int __init early_init_dt_scan_fw_dump(unsigned long node,
+@@ -848,38 +851,88 @@ static int __init process_fadump(const struct fadump_mem_struct *fdm_active)
+ return 0;
+ }
+
+-static inline void fadump_add_crash_memory(unsigned long long base,
+- unsigned long long end)
++static void free_crash_memory_ranges(void)
++{
++ kfree(crash_memory_ranges);
++ crash_memory_ranges = NULL;
++ crash_memory_ranges_size = 0;
++ max_crash_mem_ranges = 0;
++}
++
++/*
++ * Allocate or reallocate crash memory ranges array in incremental units
++ * of PAGE_SIZE.
++ */
++static int allocate_crash_memory_ranges(void)
++{
++ struct fad_crash_memory_ranges *new_array;
++ u64 new_size;
++
++ new_size = crash_memory_ranges_size + PAGE_SIZE;
++ pr_debug("Allocating %llu bytes of memory for crash memory ranges\n",
++ new_size);
++
++ new_array = krealloc(crash_memory_ranges, new_size, GFP_KERNEL);
++ if (new_array == NULL) {
++ pr_err("Insufficient memory for setting up crash memory ranges\n");
++ free_crash_memory_ranges();
++ return -ENOMEM;
++ }
++
++ crash_memory_ranges = new_array;
++ crash_memory_ranges_size = new_size;
++ max_crash_mem_ranges = (new_size /
++ sizeof(struct fad_crash_memory_ranges));
++ return 0;
++}
++
++static inline int fadump_add_crash_memory(unsigned long long base,
++ unsigned long long end)
+ {
+ if (base == end)
+- return;
++ return 0;
++
++ if (crash_mem_ranges == max_crash_mem_ranges) {
++ int ret;
++
++ ret = allocate_crash_memory_ranges();
++ if (ret)
++ return ret;
++ }
+
+ pr_debug("crash_memory_range[%d] [%#016llx-%#016llx], %#llx bytes\n",
+ crash_mem_ranges, base, end - 1, (end - base));
+ crash_memory_ranges[crash_mem_ranges].base = base;
+ crash_memory_ranges[crash_mem_ranges].size = end - base;
+ crash_mem_ranges++;
++ return 0;
+ }
+
+-static void fadump_exclude_reserved_area(unsigned long long start,
++static int fadump_exclude_reserved_area(unsigned long long start,
+ unsigned long long end)
+ {
+ unsigned long long ra_start, ra_end;
++ int ret = 0;
+
+ ra_start = fw_dump.reserve_dump_area_start;
+ ra_end = ra_start + fw_dump.reserve_dump_area_size;
+
+ if ((ra_start < end) && (ra_end > start)) {
+ if ((start < ra_start) && (end > ra_end)) {
+- fadump_add_crash_memory(start, ra_start);
+- fadump_add_crash_memory(ra_end, end);
++ ret = fadump_add_crash_memory(start, ra_start);
++ if (ret)
++ return ret;
++
++ ret = fadump_add_crash_memory(ra_end, end);
+ } else if (start < ra_start) {
+- fadump_add_crash_memory(start, ra_start);
++ ret = fadump_add_crash_memory(start, ra_start);
+ } else if (ra_end < end) {
+- fadump_add_crash_memory(ra_end, end);
++ ret = fadump_add_crash_memory(ra_end, end);
+ }
+ } else
+- fadump_add_crash_memory(start, end);
++ ret = fadump_add_crash_memory(start, end);
++
++ return ret;
+ }
+
+ static int fadump_init_elfcore_header(char *bufp)
+@@ -915,10 +968,11 @@ static int fadump_init_elfcore_header(char *bufp)
+ * Traverse through memblock structure and setup crash memory ranges. These
+ * ranges will be used create PT_LOAD program headers in elfcore header.
+ */
+-static void fadump_setup_crash_memory_ranges(void)
++static int fadump_setup_crash_memory_ranges(void)
+ {
+ struct memblock_region *reg;
+ unsigned long long start, end;
++ int ret;
+
+ pr_debug("Setup crash memory ranges.\n");
+ crash_mem_ranges = 0;
+@@ -929,7 +983,9 @@ static void fadump_setup_crash_memory_ranges(void)
+ * specified during fadump registration. We need to create a separate
+ * program header for this chunk with the correct offset.
+ */
+- fadump_add_crash_memory(RMA_START, fw_dump.boot_memory_size);
++ ret = fadump_add_crash_memory(RMA_START, fw_dump.boot_memory_size);
++ if (ret)
++ return ret;
+
+ for_each_memblock(memory, reg) {
+ start = (unsigned long long)reg->base;
+@@ -949,8 +1005,12 @@ static void fadump_setup_crash_memory_ranges(void)
+ }
+
+ /* add this range excluding the reserved dump area. */
+- fadump_exclude_reserved_area(start, end);
++ ret = fadump_exclude_reserved_area(start, end);
++ if (ret)
++ return ret;
+ }
++
++ return 0;
+ }
+
+ /*
+@@ -1074,6 +1134,7 @@ static int register_fadump(void)
+ {
+ unsigned long addr;
+ void *vaddr;
++ int ret;
+
+ /*
+ * If no memory is reserved then we can not register for firmware-
+@@ -1082,7 +1143,9 @@ static int register_fadump(void)
+ if (!fw_dump.reserve_dump_area_size)
+ return -ENODEV;
+
+- fadump_setup_crash_memory_ranges();
++ ret = fadump_setup_crash_memory_ranges();
++ if (ret)
++ return ret;
+
+ addr = be64_to_cpu(fdm.rmr_region.destination_address) + be64_to_cpu(fdm.rmr_region.source_len);
+ /* Initialize fadump crash info header. */
+@@ -1161,6 +1224,7 @@ void fadump_cleanup(void)
+ } else if (fw_dump.dump_registered) {
+ /* Un-register Firmware-assisted dump if it was registered. */
+ fadump_unregister_dump(&fdm);
++ free_crash_memory_ranges();
+ }
+ }
+
+--
+2.13.7
+
diff --git a/patches.arch/powerpc-fadump-merge-adjacent-memory-ranges-to-reduc.patch b/patches.arch/powerpc-fadump-merge-adjacent-memory-ranges-to-reduc.patch
new file mode 100644
index 0000000000..bb3058e2aa
--- /dev/null
+++ b/patches.arch/powerpc-fadump-merge-adjacent-memory-ranges-to-reduc.patch
@@ -0,0 +1,99 @@
+From ced1bf52f47783135b985d2aacf53fa77fd72e2e Mon Sep 17 00:00:00 2001
+From: Hari Bathini <hbathini@linux.ibm.com>
+Date: Tue, 7 Aug 2018 02:12:54 +0530
+Subject: [PATCH] powerpc/fadump: merge adjacent memory ranges to reduce
+ PT_LOAD segements
+
+References: bsc#1103269
+Patch-mainline: queued
+Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git
+Git-commit: ced1bf52f47783135b985d2aacf53fa77fd72e2e
+
+With dynamic memory allocation support for crash memory ranges array,
+there is no hard limit on the no. of crash memory ranges kernel could
+export, but program headers count could overflow in the /proc/vmcore
+ELF file while exporting each memory range as PT_LOAD segment. Reduce
+the likelihood of a such scenario, by folding adjacent crash memory
+ranges which minimizes the total number of PT_LOAD segments.
+
+Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
+Reviewed-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/kernel/fadump.c | 45 +++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 36 insertions(+), 9 deletions(-)
+
+diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
+index 25c9c3fca6c9..b41413ed6e95 100644
+--- a/arch/powerpc/kernel/fadump.c
++++ b/arch/powerpc/kernel/fadump.c
+@@ -889,22 +889,41 @@ static int allocate_crash_memory_ranges(void)
+ static inline int fadump_add_crash_memory(unsigned long long base,
+ unsigned long long end)
+ {
++ u64 start, size;
++ bool is_adjacent = false;
++
+ if (base == end)
+ return 0;
+
+- if (crash_mem_ranges == max_crash_mem_ranges) {
+- int ret;
++ /*
++ * Fold adjacent memory ranges to bring down the memory ranges/
++ * PT_LOAD segments count.
++ */
++ if (crash_mem_ranges) {
++ start = crash_memory_ranges[crash_mem_ranges - 1].base;
++ size = crash_memory_ranges[crash_mem_ranges - 1].size;
+
+- ret = allocate_crash_memory_ranges();
+- if (ret)
+- return ret;
++ if ((start + size) == base)
++ is_adjacent = true;
++ }
++ if (!is_adjacent) {
++ /* resize the array on reaching the limit */
++ if (crash_mem_ranges == max_crash_mem_ranges) {
++ int ret;
++
++ ret = allocate_crash_memory_ranges();
++ if (ret)
++ return ret;
++ }
++
++ start = base;
++ crash_memory_ranges[crash_mem_ranges].base = start;
++ crash_mem_ranges++;
+ }
+
++ crash_memory_ranges[crash_mem_ranges - 1].size = (end - start);
+ pr_debug("crash_memory_range[%d] [%#016llx-%#016llx], %#llx bytes\n",
+- crash_mem_ranges, base, end - 1, (end - base));
+- crash_memory_ranges[crash_mem_ranges].base = base;
+- crash_memory_ranges[crash_mem_ranges].size = end - base;
+- crash_mem_ranges++;
++ (crash_mem_ranges - 1), start, end - 1, (end - start));
+ return 0;
+ }
+
+@@ -976,6 +995,14 @@ static int fadump_setup_crash_memory_ranges(void)
+
+ pr_debug("Setup crash memory ranges.\n");
+ crash_mem_ranges = 0;
++
++ /* allocate memory for crash memory ranges for the first time */
++ if (!max_crash_mem_ranges) {
++ ret = allocate_crash_memory_ranges();
++ if (ret)
++ return ret;
++ }
++
+ /*
+ * add the first memory chunk (RMA_START through boot_memory_size) as
+ * a separate memory chunk. The reason is, at the time crash firmware
+--
+2.13.7
+
diff --git a/patches.fixes/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch b/patches.fixes/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
new file mode 100644
index 0000000000..ec4a754815
--- /dev/null
+++ b/patches.fixes/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
@@ -0,0 +1,45 @@
+From 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 13 Jun 2018 00:23:11 -0400
+Subject: [PATCH] ext4: add corruption check in ext4_xattr_set_entry()
+Git-commit: 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d
+Patch-mainline: v4.18-rc4
+References: bsc#1099844 cve-2018-10879
+
+In theory this should have been caught earlier when the xattr list was
+verified, but in case it got missed, it's simple enough to add check
+to make sure we don't overrun the xattr buffer.
+
+This addresses CVE-2018-10879.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200001
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/xattr.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -652,12 +652,15 @@ static size_t ext4_xattr_free_space(stru
+ static int
+ ext4_xattr_set_entry(struct ext4_xattr_info *i, struct ext4_xattr_search *s)
+ {
+- struct ext4_xattr_entry *last;
++ struct ext4_xattr_entry *last, *next;
+ size_t free, min_offs = s->end - s->base, name_len = strlen(i->name);
+
+ /* Compute min_offs and last. */
+ last = s->first;
+- for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
++ for (; !IS_LAST_ENTRY(last); last = next) {
++ next = EXT4_XATTR_NEXT(last);
++ if ((void *)next >= s->end)
++ return -EFSCORRUPTED;
+ if (!last->e_value_block && last->e_value_size) {
+ size_t offs = le16_to_cpu(last->e_value_offs);
+ if (offs < min_offs)
diff --git a/patches.fixes/ext4-always-verify-the-magic-number-in-xattr-blocks.patch b/patches.fixes/ext4-always-verify-the-magic-number-in-xattr-blocks.patch
new file mode 100644
index 0000000000..299a6dc3ca
--- /dev/null
+++ b/patches.fixes/ext4-always-verify-the-magic-number-in-xattr-blocks.patch
@@ -0,0 +1,48 @@
+From 513f86d73855ce556ea9522b6bfd79f87356dc3a Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 13 Jun 2018 00:51:28 -0400
+Subject: [PATCH] ext4: always verify the magic number in xattr blocks
+Git-commit: 513f86d73855ce556ea9522b6bfd79f87356dc3a
+Patch-mainline: v4.18-rc4
+References: bsc#1099844 cve-2018-10879
+
+If there an inode points to a block which is also some other type of
+metadata block (such as a block allocation bitmap), the
+buffer_verified flag can be set when it was validated as that other
+metadata block type; however, it would make a really terrible external
+attribute block. The reason why we use the verified flag is to avoid
+constantly reverifying the block. However, it doesn't take much
+overhead to make sure the magic number of the xattr block is correct,
+and this will avoid potential crashes.
+
+This addresses CVE-2018-10879.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200001
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/xattr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -218,12 +218,12 @@ ext4_xattr_check_block(struct inode *ino
+ {
+ int error;
+
+- if (buffer_verified(bh))
+- return 0;
+-
+ if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) ||
+ BHDR(bh)->h_blocks != cpu_to_le32(1))
+ return -EFSCORRUPTED;
++ if (buffer_verified(bh))
++ return 0;
++
+ if (!ext4_xattr_block_csum_verify(inode, bh->b_blocknr, BHDR(bh)))
+ return -EFSBADCRC;
+ error = ext4_xattr_check_names(BFIRST(bh), bh->b_data + bh->b_size,
diff --git a/patches.fixes/ext4-avoid-running-out-of-journal-credits-when-appen.patch b/patches.fixes/ext4-avoid-running-out-of-journal-credits-when-appen.patch
new file mode 100644
index 0000000000..ba7334fee6
--- /dev/null
+++ b/patches.fixes/ext4-avoid-running-out-of-journal-credits-when-appen.patch
@@ -0,0 +1,124 @@
+From 8bc1379b82b8e809eef77a9fedbb75c6c297be19 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 16 Jun 2018 23:41:59 -0400
+Subject: [PATCH] ext4: avoid running out of journal credits when appending to
+ an inline file
+Git-commit: 8bc1379b82b8e809eef77a9fedbb75c6c297be19
+Patch-mainline: v4.18-rc4
+References: bsc#1099863 cve-2018-10883
+
+Use a separate journal transaction if it turns out that we need to
+convert an inline file to use an data block. Otherwise we could end
+up failing due to not having journal credits.
+
+This addresses CVE-2018-10883.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200071
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/ext4.h | 3 ---
+ fs/ext4/inline.c | 38 +-------------------------------------
+ fs/ext4/xattr.c | 18 ++----------------
+ 3 files changed, 3 insertions(+), 56 deletions(-)
+
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -3051,9 +3051,6 @@ extern struct buffer_head *ext4_get_firs
+ extern int ext4_inline_data_fiemap(struct inode *inode,
+ struct fiemap_extent_info *fieinfo,
+ int *has_inline, __u64 start, __u64 len);
+-extern int ext4_try_to_evict_inline_data(handle_t *handle,
+- struct inode *inode,
+- int needed);
+ extern void ext4_inline_data_truncate(struct inode *inode, int *has_inline);
+
+ extern int ext4_convert_inline_data(struct inode *inode);
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -889,11 +889,11 @@ retry_journal:
+ flags |= AOP_FLAG_NOFS;
+
+ if (ret == -ENOSPC) {
++ ext4_journal_stop(handle);
+ ret = ext4_da_convert_inline_data_to_extent(mapping,
+ inode,
+ flags,
+ fsdata);
+- ext4_journal_stop(handle);
+ if (ret == -ENOSPC &&
+ ext4_should_retry_alloc(inode->i_sb, &retries))
+ goto retry_journal;
+@@ -1866,42 +1866,6 @@ out:
+ return (error < 0 ? error : 0);
+ }
+
+-/*
+- * Called during xattr set, and if we can sparse space 'needed',
+- * just create the extent tree evict the data to the outer block.
+- *
+- * We use jbd2 instead of page cache to move data to the 1st block
+- * so that the whole transaction can be committed as a whole and
+- * the data isn't lost because of the delayed page cache write.
+- */
+-int ext4_try_to_evict_inline_data(handle_t *handle,
+- struct inode *inode,
+- int needed)
+-{
+- int error;
+- struct ext4_xattr_entry *entry;
+- struct ext4_inode *raw_inode;
+- struct ext4_iloc iloc;
+-
+- error = ext4_get_inode_loc(inode, &iloc);
+- if (error)
+- return error;
+-
+- raw_inode = ext4_raw_inode(&iloc);
+- entry = (struct ext4_xattr_entry *)((void *)raw_inode +
+- EXT4_I(inode)->i_inline_off);
+- if (EXT4_XATTR_LEN(entry->e_name_len) +
+- EXT4_XATTR_SIZE(le32_to_cpu(entry->e_value_size)) < needed) {
+- error = -ENOSPC;
+- goto out;
+- }
+-
+- error = ext4_convert_inline_data_nolock(handle, inode, &iloc);
+-out:
+- brelse(iloc.bh);
+- return error;
+-}
+-
+ void ext4_inline_data_truncate(struct inode *inode, int *has_inline)
+ {
+ handle_t *handle;
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1086,22 +1086,8 @@ int ext4_xattr_ibody_inline_set(handle_t
+ if (EXT4_I(inode)->i_extra_isize == 0)
+ return -ENOSPC;
+ error = ext4_xattr_set_entry(i, s);
+- if (error) {
+- if (error == -ENOSPC &&
+- ext4_has_inline_data(inode)) {
+- error = ext4_try_to_evict_inline_data(handle, inode,
+- EXT4_XATTR_LEN(strlen(i->name) +
+- EXT4_XATTR_SIZE(i->value_len)));
+- if (error)
+- return error;
+- error = ext4_xattr_ibody_find(inode, i, is);
+- if (error)
+- return error;
+- error = ext4_xattr_set_entry(i, s);
+- }
+- if (error)
+- return error;
+- }
++ if (error)
++ return error;
+ header = IHDR(inode, ext4_raw_inode(&is->iloc));
+ if (!IS_LAST_ENTRY(s->first)) {
+ header->h_magic = cpu_to_le32(EXT4_XATTR_MAGIC);
diff --git a/patches.fixes/ext4-check-for-allocation-block-validity-with-block-.patch b/patches.fixes/ext4-check-for-allocation-block-validity-with-block-.patch
new file mode 100644
index 0000000000..e84b41463e
--- /dev/null
+++ b/patches.fixes/ext4-check-for-allocation-block-validity-with-block-.patch
@@ -0,0 +1,76 @@
+From 8d5a803c6a6ce4ec258e31f76059ea5153ba46ef Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 12 Jul 2018 19:08:05 -0400
+Subject: [PATCH] ext4: check for allocation block validity with block group
+ locked
+Git-commit: 8d5a803c6a6ce4ec258e31f76059ea5153ba46ef
+Patch-mainline: v4.18-rc7
+References: bsc#1104495
+
+With commit 044e6e3d74a3: "ext4: don't update checksum of new
+initialized bitmaps" the buffer valid bit will get set without
+actually setting up the checksum for the allocation bitmap, since the
+checksum will get calculated once we actually allocate an inode or
+block.
+
+If we are doing this, then we need to (re-)check the verified bit
+after we take the block group lock. Otherwise, we could race with
+another process reading and verifying the bitmap, which would then
+complain about the checksum being invalid.
+
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780137
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/balloc.c | 3 +++
+ fs/ext4/ialloc.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
+index e68cefe08261..aa52d87985aa 100644
+--- a/fs/ext4/balloc.c
++++ b/fs/ext4/balloc.c
+@@ -368,6 +368,8 @@ static int ext4_validate_block_bitmap(struct super_block *sb,
+ return -EFSCORRUPTED;
+
+ ext4_lock_group(sb, block_group);
++ if (buffer_verified(bh))
++ goto verified;
+ if (unlikely(!ext4_block_bitmap_csum_verify(sb, block_group,
+ desc, bh))) {
+ ext4_unlock_group(sb, block_group);
+@@ -386,6 +388,7 @@ static int ext4_validate_block_bitmap(struct super_block *sb,
+ return -EFSCORRUPTED;
+ }
+ set_buffer_verified(bh);
++verified:
+ ext4_unlock_group(sb, block_group);
+ return 0;
+ }
+diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
+index fb83750c1a14..e9d8e2667ab5 100644
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -90,6 +90,8 @@ static int ext4_validate_inode_bitmap(struct super_block *sb,
+ return -EFSCORRUPTED;
+
+ ext4_lock_group(sb, block_group);
++ if (buffer_verified(bh))
++ goto verified;
+ blk = ext4_inode_bitmap(sb, desc);
+ if (!ext4_inode_bitmap_csum_verify(sb, block_group, desc, bh,
+ EXT4_INODES_PER_GROUP(sb) / 8)) {
+@@ -101,6 +103,7 @@ static int ext4_validate_inode_bitmap(struct super_block *sb,
+ return -EFSBADCRC;
+ }
+ set_buffer_verified(bh);
++verified:
+ ext4_unlock_group(sb, block_group);
+ return 0;
+ }
+--
+2.16.4
+
diff --git a/patches.fixes/ext4-do-not-update-s_last_mounted-of-a-frozen-fs.patch b/patches.fixes/ext4-do-not-update-s_last_mounted-of-a-frozen-fs.patch
new file mode 100644
index 0000000000..e8364fe8a6
--- /dev/null
+++ b/patches.fixes/ext4-do-not-update-s_last_mounted-of-a-frozen-fs.patch
@@ -0,0 +1,82 @@
+From db6516a5e7ddb6dc72d167b920f2f272596ea22d Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Sun, 13 May 2018 22:54:44 -0400
+Subject: [PATCH] ext4: do not update s_last_mounted of a frozen fs
+Git-commit: db6516a5e7ddb6dc72d167b920f2f272596ea22d
+Patch-mainline: v4.18-rc1
+References: bsc#1101841
+
+If fs is frozen after mount and before the first file open, the
+update of s_last_mounted bypasses freeze protection and prints out
+a WARNING splat:
+
+$ mount /vdf
+$ fsfreeze -f /vdf
+$ cat /vdf/foo
+
+[ 31.578555] WARNING: CPU: 1 PID: 1415 at
+fs/ext4/ext4_jbd2.c:53 ext4_journal_check_start+0x48/0x82
+
+[ 31.614016] Call Trace:
+[ 31.614997] __ext4_journal_start_sb+0xe4/0x1a4
+[ 31.616771] ? ext4_file_open+0xb6/0x189
+[ 31.618094] ext4_file_open+0xb6/0x189
+
+If fs is frozen, skip s_last_mounted update.
+
+[backport hint: to apply to stable tree, need to apply also patches
+ vfs: add the sb_start_intwrite_trylock() helper
+ ext4: factor out helper ext4_sample_last_mounted()]
+
+Cc: stable@vger.kernel.org
+Fixes: bc0b0d6d69ee ("ext4: update the s_last_mounted field in the superblock")
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/file.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -396,7 +396,7 @@ static int ext4_sample_last_mounted(stru
+ if (likely(sbi->s_mount_flags & EXT4_MF_MNTDIR_SAMPLED))
+ return 0;
+
+- if (sb->s_flags & MS_RDONLY)
++ if ((sb->s_flags & MS_RDONLY) || !sb_start_intwrite_trylock(sb))
+ return 0;
+
+ sbi->s_mount_flags |= EXT4_MF_MNTDIR_SAMPLED;
+@@ -410,21 +410,25 @@ static int ext4_sample_last_mounted(stru
+ path.mnt = mnt;
+ path.dentry = mnt->mnt_root;
+ cp = d_path(&path, buf, sizeof(buf));
++ err = 0;
+ if (IS_ERR(cp))
+- return 0;
++ goto out;
+
+ handle = ext4_journal_start_sb(sb, EXT4_HT_MISC, 1);
++ err = PTR_ERR(handle);
+ if (IS_ERR(handle))
+- return PTR_ERR(handle);
++ goto out;
+ BUFFER_TRACE(sbi->s_sbh, "get_write_access");
+ err = ext4_journal_get_write_access(handle, sbi->s_sbh);
+ if (err)
+- goto out;
++ goto out_journal;
+ strlcpy(sbi->s_es->s_last_mounted, cp,
+ sizeof(sbi->s_es->s_last_mounted));
+ ext4_handle_dirty_super(handle, sb);
+-out:
++out_journal:
+ ext4_journal_stop(handle);
++out:
++ sb_end_intwrite(sb);
+ return err;
+ }
+
diff --git a/patches.fixes/ext4-factor-out-helper-ext4_sample_last_mounted.patch b/patches.fixes/ext4-factor-out-helper-ext4_sample_last_mounted.patch
new file mode 100644
index 0000000000..784d99b2ce
--- /dev/null
+++ b/patches.fixes/ext4-factor-out-helper-ext4_sample_last_mounted.patch
@@ -0,0 +1,114 @@
+From 833a950882d33a7dfc319d5e152fdf35028936eb Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Sun, 13 May 2018 22:44:23 -0400
+Subject: [PATCH] ext4: factor out helper ext4_sample_last_mounted()
+Git-commit: 833a950882d33a7dfc319d5e152fdf35028936eb
+Patch-mainline: v4.18-rc1
+References: bsc#1101841
+
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/file.c | 83 ++++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 47 insertions(+), 36 deletions(-)
+
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -356,47 +356,58 @@ static int ext4_file_mmap(struct file *f
+ return 0;
+ }
+
+-static int ext4_file_open(struct inode * inode, struct file * filp)
++static int ext4_sample_last_mounted(struct super_block *sb,
++ struct vfsmount *mnt)
+ {
+- struct super_block *sb = inode->i_sb;
+- struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
+- struct vfsmount *mnt = filp->f_path.mnt;
++ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ struct path path;
+ char buf[64], *cp;
++ handle_t *handle;
++ int err;
++
++ if (likely(sbi->s_mount_flags & EXT4_MF_MNTDIR_SAMPLED))
++ return 0;
++
++ if (sb->s_flags & MS_RDONLY)
++ return 0;
++
++ sbi->s_mount_flags |= EXT4_MF_MNTDIR_SAMPLED;
++ /*
++ * Sample where the filesystem has been mounted and
++ * store it in the superblock for sysadmin convenience
++ * when trying to sort through large numbers of block
++ * devices or filesystem images.
++ */
++ memset(buf, 0, sizeof(buf));
++ path.mnt = mnt;
++ path.dentry = mnt->mnt_root;
++ cp = d_path(&path, buf, sizeof(buf));
++ if (IS_ERR(cp))
++ return 0;
++
++ handle = ext4_journal_start_sb(sb, EXT4_HT_MISC, 1);
++ if (IS_ERR(handle))
++ return PTR_ERR(handle);
++ BUFFER_TRACE(sbi->s_sbh, "get_write_access");
++ err = ext4_journal_get_write_access(handle, sbi->s_sbh);
++ if (err)
++ goto out;
++ strlcpy(sbi->s_es->s_last_mounted, cp,
++ sizeof(sbi->s_es->s_last_mounted));
++ ext4_handle_dirty_super(handle, sb);
++out:
++ ext4_journal_stop(handle);
++ return err;
++}
++
++static int ext4_file_open(struct inode * inode, struct file * filp)
++{
+ int ret;
+
+- if (unlikely(!(sbi->s_mount_flags & EXT4_MF_MNTDIR_SAMPLED) &&
+- !(sb->s_flags & MS_RDONLY))) {
+- sbi->s_mount_flags |= EXT4_MF_MNTDIR_SAMPLED;
+- /*
+- * Sample where the filesystem has been mounted and
+- * store it in the superblock for sysadmin convenience
+- * when trying to sort through large numbers of block
+- * devices or filesystem images.
+- */
+- memset(buf, 0, sizeof(buf));
+- path.mnt = mnt;
+- path.dentry = mnt->mnt_root;
+- cp = d_path(&path, buf, sizeof(buf));
+- if (!IS_ERR(cp)) {
+- handle_t *handle;
+- int err;
+-
+- handle = ext4_journal_start_sb(sb, EXT4_HT_MISC, 1);
+- if (IS_ERR(handle))
+- return PTR_ERR(handle);
+- BUFFER_TRACE(sbi->s_sbh, "get_write_access");
+- err = ext4_journal_get_write_access(handle, sbi->s_sbh);
+- if (err) {
+- ext4_journal_stop(handle);
+- return err;
+- }
+- strlcpy(sbi->s_es->s_last_mounted, cp,
+- sizeof(sbi->s_es->s_last_mounted));
+- ext4_handle_dirty_super(handle, sb);
+- ext4_journal_stop(handle);
+- }
+- }
++ ret = ext4_sample_last_mounted(inode->i_sb, filp->f_path.mnt);
++ if (ret)
++ return ret;
++
+ if (ext4_encrypted_inode(inode)) {
+ ret = ext4_get_encryption_info(inode);
+ if (ret)
diff --git a/patches.fixes/ext4-fix-check-to-prevent-initializing-reserved-inod.patch b/patches.fixes/ext4-fix-check-to-prevent-initializing-reserved-inod.patch
new file mode 100644
index 0000000000..b31210088a
--- /dev/null
+++ b/patches.fixes/ext4-fix-check-to-prevent-initializing-reserved-inod.patch
@@ -0,0 +1,70 @@
+From 5012284700775a4e6e3fbe7eac4c543c4874b559 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 28 Jul 2018 08:12:04 -0400
+Subject: [PATCH] ext4: fix check to prevent initializing reserved inodes
+Git-commit: 5012284700775a4e6e3fbe7eac4c543c4874b559
+Patch-mainline: v4.18-rc7
+References: bsc#1104319
+
+Commit 8844618d8aa7: "ext4: only look at the bg_flags field if it is
+valid" will complain if block group zero does not have the
+EXT4_BG_INODE_ZEROED flag set. Unfortunately, this is not correct,
+since a freshly created file system has this flag cleared. It gets
+almost immediately after the file system is mounted read-write --- but
+the following somewhat unlikely sequence will end up triggering a
+false positive report of a corrupted file system:
+
+ mkfs.ext4 /dev/vdc
+ mount -o ro /dev/vdc /vdc
+ mount -o remount,rw /dev/vdc
+
+Instead, when initializing the inode table for block group zero, test
+to make sure that itable_unused count is not too large, since that is
+the case that will result in some or all of the reserved inodes
+getting cleared.
+
+This fixes the failures reported by Eric Whiteney when running
+generic/230 and generic/231 in the the nojournal test case.
+
+Fixes: 8844618d8aa7 ("ext4: only look at the bg_flags field if it is valid")
+Reported-by: Eric Whitney <enwlinux@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/ialloc.c | 5 ++++-
+ fs/ext4/super.c | 8 +-------
+ 2 files changed, 5 insertions(+), 8 deletions(-)
+
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -1342,7 +1342,10 @@ int ext4_init_inode_table(struct super_b
+ ext4_itable_unused_count(sb, gdp)),
+ sbi->s_inodes_per_block);
+
+- if ((used_blks < 0) || (used_blks > sbi->s_itb_per_group)) {
++ if ((used_blks < 0) || (used_blks > sbi->s_itb_per_group) ||
++ ((group == 0) && ((EXT4_INODES_PER_GROUP(sb) -
++ ext4_itable_unused_count(sb, gdp)) <
++ EXT4_FIRST_INO(sb)))) {
+ ext4_error(sb, "Something is wrong with group %u: "
+ "used itable blocks: %d; "
+ "itable unused count: %u",
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3086,14 +3086,8 @@ static ext4_group_t ext4_has_uninit_itab
+ if (!gdp)
+ continue;
+
+- if (gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED))
+- continue;
+- if (group != 0)
++ if (!(gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED)))
+ break;
+- ext4_error(sb, "Inode table for bg 0 marked as "
+- "needing zeroing");
+- if (sb->s_flags & MS_RDONLY)
+- return ngroups;
+ }
+
+ return group;
diff --git a/patches.fixes/ext4-fix-false-negatives-and-false-positives-in-ext4.patch b/patches.fixes/ext4-fix-false-negatives-and-false-positives-in-ext4.patch
new file mode 100644
index 0000000000..8a8e175282
--- /dev/null
+++ b/patches.fixes/ext4-fix-false-negatives-and-false-positives-in-ext4.patch
@@ -0,0 +1,55 @@
+From 44de022c4382541cebdd6de4465d1f4f465ff1dd Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 8 Jul 2018 19:35:02 -0400
+Subject: [PATCH] ext4: fix false negatives *and* false positives in
+ ext4_check_descriptors()
+Git-commit: 44de022c4382541cebdd6de4465d1f4f465ff1dd
+Patch-mainline: v4.18-rc7
+References: bsc#1103445
+
+Ext4_check_descriptors() was getting called before s_gdb_count was
+initialized. So for file systems w/o the meta_bg feature, allocation
+bitmaps could overlap the block group descriptors and ext4 wouldn't
+notice.
+
+For file systems with the meta_bg feature enabled, there was a
+fencepost error which would cause the ext4_check_descriptors() to
+incorrectly believe that the block allocation bitmap overlaps with the
+block group descriptor blocks, and it would reject the mount.
+
+Fix both of these problems.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/super.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2284,7 +2284,7 @@ static int ext4_check_descriptors(struct
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ ext4_fsblk_t first_block = le32_to_cpu(sbi->s_es->s_first_data_block);
+ ext4_fsblk_t last_block;
+- ext4_fsblk_t last_bg_block = sb_block + ext4_bg_num_gdb(sb, 0) + 1;
++ ext4_fsblk_t last_bg_block = sb_block + ext4_bg_num_gdb(sb, 0);
+ ext4_fsblk_t block_bitmap;
+ ext4_fsblk_t inode_bitmap;
+ ext4_fsblk_t inode_table;
+@@ -4006,13 +4006,12 @@ static int ext4_fill_super(struct super_
+ goto failed_mount2;
+ }
+ }
++ sbi->s_gdb_count = db_count;
+ if (!ext4_check_descriptors(sb, logical_sb_block, &first_not_zeroed)) {
+ ext4_msg(sb, KERN_ERR, "group descriptors corrupted!");
+ ret = -EFSCORRUPTED;
+ goto failed_mount2;
+ }
+-
+- sbi->s_gdb_count = db_count;
+ get_random_bytes(&sbi->s_next_generation, sizeof(u32));
+ spin_lock_init(&sbi->s_next_gen_lock);
+
diff --git a/patches.fixes/ext4-fix-inline-data-updates-with-checksums-enabled.patch b/patches.fixes/ext4-fix-inline-data-updates-with-checksums-enabled.patch
new file mode 100644
index 0000000000..50f262d3e3
--- /dev/null
+++ b/patches.fixes/ext4-fix-inline-data-updates-with-checksums-enabled.patch
@@ -0,0 +1,165 @@
+From 362eca70b53389bddf3143fe20f53dcce2cfdf61 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Tue, 10 Jul 2018 01:07:43 -0400
+Subject: [PATCH] ext4: fix inline data updates with checksums enabled
+Git-commit: 362eca70b53389bddf3143fe20f53dcce2cfdf61
+Patch-mainline: v4.18-rc7
+References: bsc#1104494
+
+The inline data code was updating the raw inode directly; this is
+problematic since if metadata checksums are enabled,
+ext4_mark_inode_dirty() must be called to update the inode's checksum.
+In addition, the jbd2 layer requires that get_write_access() be called
+before the metadata buffer is modified. Fix both of these problems.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200443
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/inline.c | 19 +++++++++++--------
+ fs/ext4/inode.c | 16 +++++++---------
+ 2 files changed, 18 insertions(+), 17 deletions(-)
+
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -679,6 +679,10 @@ int ext4_try_to_write_inline_data(struct
+ goto convert;
+ }
+
++ ret = ext4_journal_get_write_access(handle, iloc.bh);
++ if (ret)
++ goto out;
++
+ flags |= AOP_FLAG_NOFS;
+
+ page = grab_cache_page_write_begin(mapping, 0, flags);
+@@ -707,7 +711,7 @@ int ext4_try_to_write_inline_data(struct
+ out_up_read:
+ up_read(&EXT4_I(inode)->xattr_sem);
+ out:
+- if (handle)
++ if (handle && (ret != 1))
+ ext4_journal_stop(handle);
+ brelse(iloc.bh);
+ return ret;
+@@ -749,6 +753,7 @@ int ext4_write_inline_data_end(struct in
+
+ ext4_write_unlock_xattr(inode, &no_expand);
+ brelse(iloc.bh);
++ mark_inode_dirty(inode);
+ out:
+ return copied;
+ }
+@@ -895,7 +900,6 @@ retry_journal:
+ goto out;
+ }
+
+-
+ page = grab_cache_page_write_begin(mapping, 0, flags);
+ if (!page) {
+ ret = -ENOMEM;
+@@ -913,6 +917,9 @@ retry_journal:
+ if (ret < 0)
+ goto out_release_page;
+ }
++ ret = ext4_journal_get_write_access(handle, iloc.bh);
++ if (ret)
++ goto out_release_page;
+
+ up_read(&EXT4_I(inode)->xattr_sem);
+ *pagep = page;
+@@ -933,7 +940,6 @@ int ext4_da_write_inline_data_end(struct
+ unsigned len, unsigned copied,
+ struct page *page)
+ {
+- int i_size_changed = 0;
+ int ret;
+
+ ret = ext4_write_inline_data_end(inode, pos, len, copied, page);
+@@ -951,10 +957,8 @@ int ext4_da_write_inline_data_end(struct
+ * But it's important to update i_size while still holding page lock:
+ * page writeout could otherwise come in and zero beyond i_size.
+ */
+- if (pos+copied > inode->i_size) {
++ if (pos+copied > inode->i_size)
+ i_size_write(inode, pos+copied);
+- i_size_changed = 1;
+- }
+ unlock_page(page);
+ page_cache_release(page);
+
+@@ -964,8 +968,7 @@ int ext4_da_write_inline_data_end(struct
+ * ordering of page lock and transaction start for journaling
+ * filesystems.
+ */
+- if (i_size_changed)
+- mark_inode_dirty(inode);
++ mark_inode_dirty(inode);
+
+ return copied;
+ }
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1268,9 +1268,10 @@ static int ext4_write_end(struct file *f
+ loff_t old_size = inode->i_size;
+ int ret = 0, ret2;
+ int i_size_changed = 0;
++ int inline_data = ext4_has_inline_data(inode);
+
+ trace_ext4_write_end(inode, pos, len, copied);
+- if (ext4_has_inline_data(inode)) {
++ if (inline_data) {
+ ret = ext4_write_inline_data_end(inode, pos, len,
+ copied, page);
+ if (ret < 0) {
+@@ -1298,7 +1299,7 @@ static int ext4_write_end(struct file *f
+ * ordering of page lock and transaction start for journaling
+ * filesystems.
+ */
+- if (i_size_changed)
++ if (i_size_changed || inline_data)
+ ext4_mark_inode_dirty(handle, inode);
+
+ if (pos + len > inode->i_size && ext4_can_truncate(inode))
+@@ -1372,6 +1373,7 @@ static int ext4_journalled_write_end(str
+ int partial = 0;
+ unsigned from, to;
+ int size_changed = 0;
++ int inline_data = ext4_has_inline_data(inode);
+
+ trace_ext4_journalled_write_end(inode, pos, len, copied);
+ from = pos & (PAGE_CACHE_SIZE - 1);
+@@ -1379,7 +1381,7 @@ static int ext4_journalled_write_end(str
+
+ BUG_ON(!ext4_handle_valid(handle));
+
+- if (ext4_has_inline_data(inode)) {
++ if (inline_data) {
+ ret = ext4_write_inline_data_end(inode, pos, len,
+ copied, page);
+ if (ret < 0) {
+@@ -1410,7 +1412,7 @@ static int ext4_journalled_write_end(str
+ if (old_size < pos)
+ pagecache_isize_extended(inode, old_size, pos);
+
+- if (size_changed) {
++ if (size_changed || inline_data) {
+ ret2 = ext4_mark_inode_dirty(handle, inode);
+ if (!ret)
+ ret = ret2;
+@@ -1909,11 +1911,7 @@ static int __ext4_journalled_writepage(s
+ }
+
+ if (inline_data) {
+- BUFFER_TRACE(inode_bh, "get write access");
+- ret = ext4_journal_get_write_access(handle, inode_bh);
+-
+- err = ext4_handle_dirty_metadata(handle, inode, inode_bh);
+-
++ ret = ext4_mark_inode_dirty(handle, inode);
+ } else {
+ ret = ext4_walk_page_buffers(handle, page_bufs, 0, len, NULL,
+ do_journal_get_write_access);
diff --git a/patches.fixes/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch b/patches.fixes/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
new file mode 100644
index 0000000000..46fbfcf539
--- /dev/null
+++ b/patches.fixes/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
@@ -0,0 +1,39 @@
+From 8cdb5240ec5928b20490a2bb34cb87e9a5f40226 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 16 Jun 2018 15:40:48 -0400
+Subject: [PATCH] ext4: never move the system.data xattr out of the inode body
+Git-commit: 8cdb5240ec5928b20490a2bb34cb87e9a5f40226
+Patch-mainline: v4.18-rc4
+References: bsc#1099845 cve-2018-10880
+
+When expanding the extra isize space, we must never move the
+system.data xattr out of the inode body. For performance reasons, it
+doesn't make any sense, and the inline data implementation assumes
+that system.data xattr is never in the external xattr block.
+
+This addresses CVE-2018-10880
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200005
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/xattr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1438,6 +1438,11 @@ retry:
+ /* Find the entry best suited to be pushed into EA block */
+ entry = NULL;
+ for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
++ /* never move system.data out of the inode */
++ if ((last->e_name_len == 4) &&
++ (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) &&
++ !memcmp(last->e_name, "data", 4))
++ continue;
+ total_size =
+ EXT4_XATTR_SIZE(le32_to_cpu(last->e_value_size)) +
+ EXT4_XATTR_LEN(last->e_name_len);
diff --git a/patches.fixes/vfs-add-the-sb_start_intwrite_trylock-helper.patch b/patches.fixes/vfs-add-the-sb_start_intwrite_trylock-helper.patch
new file mode 100644
index 0000000000..e4f1bbc4ad
--- /dev/null
+++ b/patches.fixes/vfs-add-the-sb_start_intwrite_trylock-helper.patch
@@ -0,0 +1,38 @@
+From 0c8e3fe35db9b66ae0030849545030ec7c0fc45c Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Sun, 13 May 2018 22:40:30 -0400
+Subject: [PATCH] vfs: add the sb_start_intwrite_trylock() helper
+Git-commit: 0c8e3fe35db9b66ae0030849545030ec7c0fc45c
+Patch-mainline: v4.18-rc1
+References: bsc#1101841
+
+Needed by ext4 to test frozen fs before updating s_last_mounted.
+
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ include/linux/fs.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 760d8da1b6c7..cac41f1bad05 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -1597,6 +1597,11 @@ static inline void sb_start_intwrite(struct super_block *sb)
+ __sb_start_write(sb, SB_FREEZE_FS, true);
+ }
+
++static inline int sb_start_intwrite_trylock(struct super_block *sb)
++{
++ return __sb_start_write(sb, SB_FREEZE_FS, false);
++}
++
+
+ extern bool inode_owner_or_capable(const struct inode *inode);
+
+--
+2.16.4
+
diff --git a/patches.kernel.org/4.4.140-022-jbd2-don-t-mark-block-as-modified-if-the-hand.patch b/patches.kernel.org/4.4.140-022-jbd2-don-t-mark-block-as-modified-if-the-hand.patch
index 2ae8205a46..bc03c0c4b2 100644
--- a/patches.kernel.org/4.4.140-022-jbd2-don-t-mark-block-as-modified-if-the-hand.patch
+++ b/patches.kernel.org/4.4.140-022-jbd2-don-t-mark-block-as-modified-if-the-hand.patch
@@ -2,7 +2,7 @@ From: Theodore Ts'o <tytso@mit.edu>
Date: Sat, 16 Jun 2018 20:21:45 -0400
Subject: [PATCH] jbd2: don't mark block as modified if the handle is out of
credits
-References: bnc#1012382
+References: bnc#1012382 bsc#1099863 cve-2018-10883
Patch-mainline: 4.4.140
Git-commit: e09463f220ca9a1a1ecfda84fcda658f99a1f12a
@@ -24,6 +24,7 @@ Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+
---
fs/jbd2/transaction.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/patches.kernel.org/4.4.140-023-ext4-make-sure-bitmaps-and-the-inode-table-do.patch b/patches.kernel.org/4.4.140-023-ext4-make-sure-bitmaps-and-the-inode-table-do.patch
index 8000e7d5e2..967a5f0024 100644
--- a/patches.kernel.org/4.4.140-023-ext4-make-sure-bitmaps-and-the-inode-table-do.patch
+++ b/patches.kernel.org/4.4.140-023-ext4-make-sure-bitmaps-and-the-inode-table-do.patch
@@ -2,7 +2,7 @@ From: Theodore Ts'o <tytso@mit.edu>
Date: Wed, 13 Jun 2018 23:08:26 -0400
Subject: [PATCH] ext4: make sure bitmaps and the inode table don't overlap
with bg descriptors
-References: bnc#1012382
+References: bnc#1012382 bsc#1099813 cve-2018-10878
Patch-mainline: 4.4.140
Git-commit: 77260807d1170a8cf35dbb06e07461a655f67eee
@@ -19,6 +19,7 @@ Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+
---
fs/ext4/super.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/patches.kernel.org/4.4.140-024-ext4-always-check-block-group-bounds-in-ext4_.patch b/patches.kernel.org/4.4.140-024-ext4-always-check-block-group-bounds-in-ext4_.patch
index ba3a0a3f0b..27a28db6f3 100644
--- a/patches.kernel.org/4.4.140-024-ext4-always-check-block-group-bounds-in-ext4_.patch
+++ b/patches.kernel.org/4.4.140-024-ext4-always-check-block-group-bounds-in-ext4_.patch
@@ -2,7 +2,7 @@ From: Theodore Ts'o <tytso@mit.edu>
Date: Wed, 13 Jun 2018 23:00:48 -0400
Subject: [PATCH] ext4: always check block group bounds in
ext4_init_block_bitmap()
-References: bnc#1012382
+References: bnc#1012382 bsc#1099813 cve-2018-10878
Patch-mainline: 4.4.140
Git-commit: 819b23f1c501b17b9694325471789e6b5cc2d0d2
@@ -18,6 +18,7 @@ Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+
---
fs/ext4/balloc.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/patches.kernel.org/4.4.140-025-ext4-only-look-at-the-bg_flags-field-if-it-is.patch b/patches.kernel.org/4.4.140-025-ext4-only-look-at-the-bg_flags-field-if-it-is.patch
index 640b7b4302..f5542af466 100644
--- a/patches.kernel.org/4.4.140-025-ext4-only-look-at-the-bg_flags-field-if-it-is.patch
+++ b/patches.kernel.org/4.4.140-025-ext4-only-look-at-the-bg_flags-field-if-it-is.patch
@@ -1,7 +1,7 @@
From: Theodore Ts'o <tytso@mit.edu>
Date: Thu, 14 Jun 2018 00:58:00 -0400
Subject: [PATCH] ext4: only look at the bg_flags field if it is valid
-References: bnc#1012382
+References: bnc#1012382 bsc#1099811 cve-2018-10876
Patch-mainline: 4.4.140
Git-commit: 8844618d8aa7a9973e7b527d038a2a589665002c
@@ -24,6 +24,7 @@ Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+
---
fs/ext4/balloc.c | 11 ++++++++++-
fs/ext4/ialloc.c | 14 ++++++++++++--
diff --git a/patches.kernel.org/4.4.140-026-ext4-verify-the-depth-of-extent-tree-in-ext4_.patch b/patches.kernel.org/4.4.140-026-ext4-verify-the-depth-of-extent-tree-in-ext4_.patch
index 4d72122808..800f65b425 100644
--- a/patches.kernel.org/4.4.140-026-ext4-verify-the-depth-of-extent-tree-in-ext4_.patch
+++ b/patches.kernel.org/4.4.140-026-ext4-verify-the-depth-of-extent-tree-in-ext4_.patch
@@ -1,7 +1,7 @@
From: Theodore Ts'o <tytso@mit.edu>
Date: Thu, 14 Jun 2018 12:55:10 -0400
Subject: [PATCH] ext4: verify the depth of extent tree in ext4_find_extent()
-References: bnc#1012382
+References: bnc#1012382 bsc#1099846 cve-2018-10877
Patch-mainline: 4.4.140
Git-commit: bc890a60247171294acc0bd67d211fa4b88d40ba
@@ -19,6 +19,7 @@ Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+
---
fs/ext4/ext4_extents.h | 1 +
fs/ext4/extents.c | 6 ++++++
diff --git a/patches.kernel.org/4.4.140-028-ext4-clear-i_data-in-ext4_inode_info-when-rem.patch b/patches.kernel.org/4.4.140-028-ext4-clear-i_data-in-ext4_inode_info-when-rem.patch
index 3f6a7d8fb3..67c0cfbe41 100644
--- a/patches.kernel.org/4.4.140-028-ext4-clear-i_data-in-ext4_inode_info-when-rem.patch
+++ b/patches.kernel.org/4.4.140-028-ext4-clear-i_data-in-ext4_inode_info-when-rem.patch
@@ -2,7 +2,7 @@ From: Theodore Ts'o <tytso@mit.edu>
Date: Fri, 15 Jun 2018 12:28:16 -0400
Subject: [PATCH] ext4: clear i_data in ext4_inode_info when removing inline
data
-References: bnc#1012382
+References: bnc#1012382 bsc#1099864 cve-2018-10881
Patch-mainline: 4.4.140
Git-commit: 6e8ab72a812396996035a37e5ca4b3b99b5d214b
@@ -33,6 +33,7 @@ Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+
---
fs/ext4/inline.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/patches.kernel.org/4.4.140-029-ext4-add-more-inode-number-paranoia-checks.patch b/patches.kernel.org/4.4.140-029-ext4-add-more-inode-number-paranoia-checks.patch
index 8805a3e68b..b5297e40b6 100644
--- a/patches.kernel.org/4.4.140-029-ext4-add-more-inode-number-paranoia-checks.patch
+++ b/patches.kernel.org/4.4.140-029-ext4-add-more-inode-number-paranoia-checks.patch
@@ -1,7 +1,7 @@
From: Theodore Ts'o <tytso@mit.edu>
Date: Sun, 17 Jun 2018 00:41:14 -0400
Subject: [PATCH] ext4: add more inode number paranoia checks
-References: bnc#1012382
+References: bnc#1012382 cve-2018-10882 bsc#1099849
Patch-mainline: 4.4.140
Git-commit: c37e9e013469521d9adb932d17a1795c139b36db
diff --git a/patches.suse/0001-btrfs-Don-t-remove-block-group-still-has-pinned-down.patch b/patches.suse/0001-btrfs-Don-t-remove-block-group-still-has-pinned-down.patch
new file mode 100644
index 0000000000..7149c8ff5a
--- /dev/null
+++ b/patches.suse/0001-btrfs-Don-t-remove-block-group-still-has-pinned-down.patch
@@ -0,0 +1,113 @@
+From ebbf58173eb6b4ce30baa8a686a9b83cb91e80f6 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Fri, 22 Jun 2018 12:35:00 +0800
+Subject: [PATCH] btrfs: Don't remove block group still has pinned down bytes
+Patch-mainline: Queued in subsystem maintainer repository
+Git-repo: https://github.com/kdave/btrfs-devel.git
+Git-commit: ebbf58173eb6b4ce30baa8a686a9b83cb91e80f6
+References: bsc#1086457
+
+[BUG]
+Under certain KVM load and LTP tests, it is possible to hit the
+following calltrace if quota is enabled:
+
+BTRFS critical (device vda2): unable to find logical 8820195328 length 4096
+BTRFS critical (device vda2): unable to find logical 8820195328 length 4096
+
+WARNING: CPU: 0 PID: 49 at ../block/blk-core.c:172 blk_status_to_errno+0x1a/0x30
+CPU: 0 PID: 49 Comm: kworker/u2:1 Not tainted 4.12.14-15-default #1 SLE15 (unreleased)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+Workqueue: btrfs-endio-write btrfs_endio_write_helper [btrfs]
+task: ffff9f827b340bc0 task.stack: ffffb4f8c0304000
+RIP: 0010:blk_status_to_errno+0x1a/0x30
+Call Trace:
+ submit_extent_page+0x191/0x270 [btrfs]
+ ? btrfs_create_repair_bio+0x130/0x130 [btrfs]
+ __do_readpage+0x2d2/0x810 [btrfs]
+ ? btrfs_create_repair_bio+0x130/0x130 [btrfs]
+ ? run_one_async_done+0xc0/0xc0 [btrfs]
+ __extent_read_full_page+0xe7/0x100 [btrfs]
+ ? run_one_async_done+0xc0/0xc0 [btrfs]
+ read_extent_buffer_pages+0x1ab/0x2d0 [btrfs]
+ ? run_one_async_done+0xc0/0xc0 [btrfs]
+ btree_read_extent_buffer_pages+0x94/0xf0 [btrfs]
+ read_tree_block+0x31/0x60 [btrfs]
+ read_block_for_search.isra.35+0xf0/0x2e0 [btrfs]
+ btrfs_search_slot+0x46b/0xa00 [btrfs]
+ ? kmem_cache_alloc+0x1a8/0x510
+ ? btrfs_get_token_32+0x5b/0x120 [btrfs]
+ find_parent_nodes+0x11d/0xeb0 [btrfs]
+ ? leaf_space_used+0xb8/0xd0 [btrfs]
+ ? btrfs_leaf_free_space+0x49/0x90 [btrfs]
+ ? btrfs_find_all_roots_safe+0x93/0x100 [btrfs]
+ btrfs_find_all_roots_safe+0x93/0x100 [btrfs]
+ btrfs_find_all_roots+0x45/0x60 [btrfs]
+ btrfs_qgroup_trace_extent_post+0x20/0x40 [btrfs]
+ btrfs_add_delayed_data_ref+0x1a3/0x1d0 [btrfs]
+ btrfs_alloc_reserved_file_extent+0x38/0x40 [btrfs]
+ insert_reserved_file_extent.constprop.71+0x289/0x2e0 [btrfs]
+ btrfs_finish_ordered_io+0x2f4/0x7f0 [btrfs]
+ ? pick_next_task_fair+0x2cd/0x530
+ ? __switch_to+0x92/0x4b0
+ btrfs_worker_helper+0x81/0x300 [btrfs]
+ process_one_work+0x1da/0x3f0
+ worker_thread+0x2b/0x3f0
+ ? process_one_work+0x3f0/0x3f0
+ kthread+0x11a/0x130
+ ? kthread_create_on_node+0x40/0x40
+ ret_from_fork+0x35/0x40
+
+BTRFS critical (device vda2): unable to find logical 8820195328 length 16384
+BTRFS: error (device vda2) in btrfs_finish_ordered_io:3023: errno=-5 IO failure
+BTRFS info (device vda2): forced readonly
+BTRFS error (device vda2): pending csums is 2887680
+
+[CAUSE]
+It's caused by race with block group auto removal:
+
+- There is a meta block group X, which has only one tree block
+ The tree block belongs to fs tree 257.
+- In current transaction, some operation modified fs tree 257
+ The tree block get COWed, so the block group X is empty, and marked as
+ unused, queued to be deleted.
+- Some workload (like fsync) wakes up cleaner_kthread()
+ Which will call btrfs_delete_unused_bgs() to remove unused block
+ groups.
+ So block group X along its chunk map get removed.
+- Some delalloc work finished for fs tree 257
+ Quota needs to get the original reference of the extent, which will
+ read tree blocks of commit root of 257.
+ Then since the chunk map get removed, the above warning gets triggered.
+
+[FIX]
+Just let btrfs_delete_unused_bgs() to skip block group which still has
+pinned bytes.
+
+However there is a minor side effect, since currently we only queue
+empty blocks at update_block_group(), and such empty block group with
+pinned bytes won't go through update_block_group() again, such block
+group won't be removed, until it get new extent allocated and removed.
+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/extent-tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index 0ca3999356c7..37d8927015d9 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -10702,7 +10702,7 @@ void btrfs_delete_unused_bgs(struct btrfs_fs_info *fs_info)
+ /* Don't want to race with allocators so take the groups_sem */
+ down_write(&space_info->groups_sem);
+ spin_lock(&block_group->lock);
+- if (block_group->reserved ||
++ if (block_group->reserved || block_group->pinned ||
+ btrfs_block_group_used(&block_group->item) ||
+ block_group->ro ||
+ list_is_singular(&block_group->list)) {
+--
+2.18.0
+
diff --git a/series.conf b/series.conf
index e45dc46ba0..8ed5daba63 100644
--- a/series.conf
+++ b/series.conf
@@ -7591,6 +7591,17 @@
patches.fixes/ext4-prevent-data-corruption-with-inline-data-DAX.patch
patches.fixes/ext4-prevent-data-corruption-with-journaling-DAX.patch
patches.fixes/ext4-Fix-hole-length-detection-in-ext4_ind_map_block.patch
+ patches.fixes/ext4-fix-false-negatives-and-false-positives-in-ext4.patch
+ patches.fixes/ext4-fix-inline-data-updates-with-checksums-enabled.patch
+ patches.fixes/ext4-check-for-allocation-block-validity-with-block-.patch
+ patches.fixes/ext4-fix-check-to-prevent-initializing-reserved-inod.patch
+ patches.fixes/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
+ patches.fixes/ext4-always-verify-the-magic-number-in-xattr-blocks.patch
+ patches.fixes/ext4-avoid-running-out-of-journal-credits-when-appen.patch
+ patches.fixes/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
+ patches.fixes/vfs-add-the-sb_start_intwrite_trylock-helper.patch
+ patches.fixes/ext4-factor-out-helper-ext4_sample_last_mounted.patch
+ patches.fixes/ext4-do-not-update-s_last_mounted-of-a-frozen-fs.patch
########################################################
# btrfs
@@ -8037,6 +8048,7 @@
patches.suse/btrfs-8060-syslog-when-quota-is-disabled.patch
patches.suse/btrfs-8447-serialize-subvolume-mounts-with-potentially-mi.patch
patches.suse/btrfs-change-how-we-decide-to-commit-transactions-du.patch
+ patches.suse/0001-btrfs-Don-t-remove-block-group-still-has-pinned-down.patch
patches.suse/0001-Btrfs-make-add_pinned_bytes-take-an-s64-num_bytes-in.patch
patches.suse/0002-Btrfs-make-BUG_ON-in-add_pinned_bytes-an-ASSERT.patch
@@ -20780,6 +20792,10 @@
patches.arch/powerpc-fadump-exclude-memory-holes-while-reserving-.patch
patches.arch/powerpc-fadump-Do-not-use-hugepages-when-fadump-is-a.patch
+ # bsc#1103269
+ patches.arch/powerpc-fadump-handle-crash-memory-ranges-array-inde.patch
+ patches.arch/powerpc-fadump-merge-adjacent-memory-ranges-to-reduc.patch
+
# bsc#1044596
patches.fixes/0001-kexec_file-do-not-add-extra-alignment-to-efi-memmap.patch